Europe Already Has Draft Standard For Real-Time Government Snooping On Services Like Facebook And Gmail

from the not-that-we'd-ever-use-it dept

As the old joke goes, standards are wonderful things, that's why we have so many of them. But who would have thought that ETSI, the European Telecommunications Standards Institute, has already produced a draft standard on how European governments can snoop on cloud-based services like Facebook and Gmail -- even when encrypted connections are used?

ETSI DTR 101 567, to give it the full title, was pointed out to us by Erich Moechel, who has written an excellent exploration of its elements (original in German). Here's the summary from the draft standard (Microsoft Word format):

The present document provides an overview on requests for handover and delivery of real-time information associated with cloud/virtual services. The report identifies Lawful Interception needs and requirements in the converged cloud/virtual service environment, the challenges and obstacles of complying with those requirements, what implementations can be achieved under existing ETSI LI [Lawful Interception] standards, and what new work may be required to achieve needed Lawful Interception capabilities. Cloud Services in whichever forms they take (Infrastructure, Software, Platform or combinations of these) are often trans border in nature and the information required to maintain Lawful Interception (LI) capability or sufficient coverage for LI support may vary in different countries, or within platforms of different security assurance levels. This work aims to ensure capabilities can be maintained while allowing business to utilise the advantages and innovations of Cloud Services and was undertaken cooperatively with relevant cloud security technical bodies.

As that makes clear, this is being presented as "maintaining" interception capabilities in a world where cloud computing makes previous approaches inapplicable. The new standard specifically mentions social networking, file sharing and video conferencing as new areas that need to be addressed.

One key section spells out how this is to be achieved:

If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].

In order to maintain LI coverage the cloud service provider must implement a Cloud Lawful Interception Function (CLIF). This can be by way of Applications Programming Interface (API) or more likely ensuring presentation of information in a format recognisable to interception mechanisms. Deep packet inspection is likely to be a constituent part of this system.

As this makes clear, along with the intercepted information, the standard envisages encryption keys being handed over routinely. Just to make things complete, DPI -- deep packet inspection -- is also regarded as a likely element of the system.

Etsi has faced criticism in the past for the pre-emptive inclusion of wiretapping capabilities, a decision that critics say encouraged European governments to pass their wiretapping laws accordingly. According to Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, the institute has strong links with the intelligence agencies and has a significant British contingent, along with a number of US government advisers.

It's a classic case of policy laundering; here's how it will probably work.

The British government insists now that it will "only" gather communications data, and not content. At the same time, it will require that ISPs adopt the new ETSI cloud interception standard (once it's been finalized) in the "black boxes" that they must install under the proposed snooping legislation. That will put in place all the capabilities needed for accessing encrypted streams -- since those providing cloud services will be required to hand over the encryption keys -- and hence the content. The UK government may not intend accessing content today, but thanks to the wonders of function creep, when it decides to do it tomorrow the facility will be there waiting for it.

Meanwhile, European governments will be able to point to the UK's adoption of the ETSI standard as just "good practice"; they will ask their own ISPs to implement it, while insisting that they too have no intention of accessing the contents of people's Internet streams either. Until, that is, the day comes -- probably in the wake of some terrorist attack or pedophile scandal -- when the governments will note that since the capability is available, it would be "irresponsible" not to use it to tackle these terrible crimes. The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....

Reader Comments

More Spying

Another day and another tale of governments using Tech to spy on people.And of course we will see more Draconian Bills either passed or Voted upon in our own Nation.We just had one that thankfully did not pass.Not because of the Content so much as because of the Dysfunctional Congress.
Thank You this once for being so Dysfunctional, US Gov.
The new saying to replace the "Save The Children" will be "We Must Stop Cyberwhatever" .

Re:

You can bet the farm that if they implemented their man-in-the-middle approach, using standard government bull-in-china-shop protocol, they would leave doors swinging wide open on their hinges.

First thing I thought on reading the article was "So, if they're holding all the encryption keys ready to hand over to the government on demand, then what happens when that store (inevitably) get hacked?"

Re: Re: Re:

Re:

I assume, maybe incorrectly, you are being sarcastic? If not, then maybe you should re-read what you wrote, the government is here "to serve us", not the other way around. Why is it they feel they can snoop on us when we can't even see advance text of international trade agreements? Seems they are the ones with something to hide.

out of curiosity, who was the arse hole that started all this crap? the UK used to be a responsible place to live. it is fast becoming a 'democratic China' with more and more privacy and freedom violations executed by the Government and more and more new laws being introduced that remove privacy and freedoms already established, all in the name of protecting the people. if what is happening is 'for the people', dont they think that perhaps the people need to know what is going on, why it's going on and be allowed to have a say in whether or not to let it continue going on and whether we need protecting from it? i dont think the government should have such control anyway, particularly when they use the 'security of the nation' as the excuse, when what they are really after is to keep a closer watch on what their own citizens are doing. it's also not right for certain powerful people in the US with their distorted view of the world to keep influencing what happens elsewhere just to try to spread that view. it's even worse for stupid idiots to go along with that distorted view by doing what they want.

Who started it?

Difficult to tell. There was some trend in the nineties to go into that direction, more prohibitions, more surveillance, all over most countries, and all over most political parties.

There were/are certainly some drivers of it, NeoCons for instance, but the general mentality has shifted. Everyone had and has its pet-issue which he wants prohibited. From alcohol and drugs to prostitution and pornography, to pollution to guns.

9/11 was of course the first high, but the trend hasn't subsided since then. None of the draconian laws in the US (and elsewhere!) enacted in the aftermath were ever repelled.

I'm tempted to write a book about "The Rise of Fascism in the 21st Century". Because that's exactly what is happening.

Cue the encryption devs...

One thing this might lead to is an increase in pre-encrypted traffic that is then sent over the back-doored encrypted cloud service. What good will the monitoring be when they discover that they need more keys to actually see what the content is...?

Something to think about in this ridiculous game of whack-a-mole intelligence gathering.

I don't think the problem is having the capability to conduct this kind of surveillence operation; I can remember enough of the Troubles to recognise that being completely unable to intercept the communications of people who are planning on blowing shit up on a large scale is a problem.

But if we're going to have this capability, there needs to be some fairly strict rules on what it it can be used for. Rules that cannot simply be made to go away the first time something bad happens, and more importantly, carry actual serious penalties for breaking them. Otherwise, not only does function creep guarantee that everyone will have their every thought and deed taken down to be used as evidence against them any time the state (or a sufficiently unscrupulous tabloid newspaper, aided and abetted by some script kiddies), but there'll be so many false positives to wade through that the actual bad guys get lost in the background noise.

Re:

I don't think the problem is having the capability to conduct this kind of surveillence operation

I do. This type of capability has always been abused, often widely, regardless of what rules or oversight is put into place. There is no reason to think that the future will be any different.

I understand that this capability can be used to prevent great harm, but it is also used to cause great harm, so that argument doesn't hold as much weight with me as it otherwise might.

But I do make a distinction: it's one thing to allow police access to information that is gathered as a side-effect of engaging in an activity. It's an entirely different thing to require that activities be conducted in a way to specifically allow for such surveillance. The latter is, in my opinion, simply despotic.

Re:

Failure of Law.

The passage reads:
"Lawful Interception"

WRONG!!
It's not lawful, its "LEGAL Interception".
The paper has no legal validity. Or should I say, will fail in a court of law.

What these clowns do not realise if anyone uses any form of peer to peer communication without reference to any central server using encryption (suitably adjusted) then there is no simple real time perusing documents/audio/video.

For instance. The west readying for war have done their best to cut out the real Syrian news agency (sana.sy) from the public eye but if you go there using the IP# you have a direct route to the other news, keeping the eye of Sauron off your back.

"Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Benito Mussolini

if the government, any government, were in power to serve us, why is it that we are the last ones to know what the fuckers are up to, particularly when whatever it is they are up to affects us the most? everyone else in whatever country seems to know what's going on, except us. why is it that we never get the opportunity to even give opinions on what they are up to? why is it the first we know of something is when some poor sod gets thrown in jail on some trumped up charge that no one knew existed?

Last one to leave the planet, turn the lights out.

This is all getting rather beyond the pale, beyond a joke and any other hackneyed phrases you can think of to apply to government snooping. Why the hell should this be allowed to happen? Private mails and conversations are meant to be just that - PRIVATE! Do you hear that, governments of the world? I just hope that even stronger encryption will ensue but the government would probably then make that illegal. Guilty if encrypted. I gather it's already happened in a way with at least one person refusing to hand over encryption keys. I would support anyone refusing to reveal personal details. It would be like the Post Office opening and reading each and every letter they handle, although nothing would surprise me these days! Extremely depressing situation.

The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....